Security Basics mailing list archives
Re: Hardware vs Software Firewall/Router
From: "James Lee Gromoll" <jgromoll () hotmail com>
Date: Wed, 02 Apr 2003 11:44:36 -0800
My $.02,
1. If you use software loaded on each host exposed to the web, then you will have failed right off since any attacker already hits the host before he is dealt with.
2. If you mean to use software loaded on a PC acting as a firewall, then this is a much better idea and offloads the system overhead as well.
3. If you plan to use a hardware solution, you still have somewhat of a software solution anyhow. This is because now the software is simply burned into PROMs or the like, but in the end it is still code subject to compromise. While it is perhaps a bit tighter than others it is still code, and I have faith all code can eventually be exploited.
4. I believe the best approach is a combination of hardware and software solutions.
5. Routers are good. They can segment and isolate your net to a great degree. Some routers offer advanced features that allow a high degree of control over traffic on the net (Port filters, etc.) I would get at least one router.
6. Firewalls are also good. They definitely filter and limit traffic in and out of a net. It is best if you have a dedicated firewall be it an appliance or a PC running firewall software.
7. There are a few FREE firewalls available. IPCOP and Smoothwall are two. They require a dedicated PC with two NICs or one NIC and a modem. The set up is remarkably easy and a 200 MHz PC will provide quite adequate bandwidth at cable modem speeds and T1 speed also.
8. For the cost of a cable/DSL one port router, it is silly to not have a router.
9. A simple low $$ solution would look like this:

WAN/Internet
|
Linksys Single port Router Cost <40$
|
Smoothwall PC Cost junker PC ~$100
|
LAN

10. These can be set up to be remotely administered, but I believe the Linksys still has an unresolved vulnerability when remote admin is enabled. Smoothwall can use SSH for remote admin.
11. The argument that the hardware firewalls have more vulns may bear credibility, since the code on them can be quite unique and once compromised the fix may be more difficult to implement. Basically the same argument that it is easier to fix a Windows bug than it is to fix a BIOS bug. It really depends on the skill level of the programmers.
ps. Oh, by the way, Linksys is becoming Cisco.
From: <nsm () e-paradise net>
To: security-basics () securityfocus com
Subject: Hardware vs Software Firewall/Router
Date: 2 Apr 2003 03:11:54 -0000

I work for a consulting company that services businesses with 30 to 200 clients. Our IT Manager likes to use a Linksys, or a 3Com hardware firewall solution. He is also thinking of introducing the Symantec Raptor (I could be incorrect on the name) software solution. We are mostly a Windows-based firm with little *nix experience, so most software solutions are out already.

My reason for posting is: I would like to provide a valid argument for not using a software solution, and making our hardware solutions a little more upscale, say PIX, Nokia, Checkpoint etc. The IT manager's argument is that he finds far fewer vulnerabilities in the software solutions or the Linksys and 3Com than what he does in the PIX etc. I am of course familiar with all of the basic differences, I am more so looking for valid argumentative points. Any input would be greatly appreciated.